Cisco Catalyst 4500 Series Command Reference Manual page 89

Chapter 2
Cisco IOS Commands for the Catalyst 4500 Series Switches
The only caveat to the preceding statement is that web-based authentication is available only for data devices, because a user is presumably operating the device and it has HTTP capability. Also, if web-based authentication is configured in MDA mode, the only form of enforcement for all types of devices is downloadable ACLs (dACLs). This restriction exists because VLAN assignment is not supported for web-based authentication. Furthermore, if you use dACLs for data devices but not for voice devices, then when the data device falls back to webauth, the voice traffic is also affected by the ACL applied under the fallback policy. Therefore, if webauth is configured as a fallback method on an MDA-enabled port, dACL is the only supported enforcement method.
Multi-auth mode classifies each session as MAC-based. There is no limit on the number of clients allowed in the data domain of a port; only one client is allowed in the voice domain, and every client must authenticate separately. Policies downloaded for a client are applied to that client's MAC or IP address only and do not affect the other hosts on the same port.
The optional pre-authentication open-access mode allows a device to gain network access before authentication is performed. It is primarily intended for the PXE boot scenario, in which a device must reach the network and download a bootable image (possibly one containing a supplicant) before PXE times out, but it is not limited to that use case.
The configuration for this feature is attached to the host-mode configuration: the host mode itself governs the control plane, while the open-access setting governs the data plane. Open-access configuration has no bearing on session classification; the host-mode configuration still controls that. If open access is defined for single-host mode, the port still allows only one MAC address. The port forwards traffic from the start and is restricted only by whatever else is configured on the port (for example, a port ACL), and such configuration is independent of 802.1X. So, if no form of access restriction is configured on the port, client devices have full access to the configured VLAN before any authentication result is applied.
You can verify your settings with the show authentication privileged EXEC command.
Examples
This example shows how to set the host mode on an interface, which defines how sessions on the port are classified and therefore how access policies are applied:
Switch(config-if)# authentication host-mode single-host
Switch(config-if)#
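The following configuration is an added example and is not taken from the Cisco command reference. It contrasts open access with no port restriction (every client has full VLAN access until authentication completes) against open access paired with a port ACL that limits pre-authentication traffic to what a PXE client needs, and it uses multi-auth host mode on the second port so that each host is classified and authenticated separately. The interface names, VLAN IDs and ACL name are assumptions.

```cisco
! Added example: open-access port configurations (names and VLANs are assumed).
!
! Weak form: open access with no port restriction. Open access affects only the
! data plane, so an unauthenticated client has full access to VLAN 10 until the
! authentication manager applies a result.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
! Corrected form: the same open access, but a port ACL limits what an
! unauthenticated host can send to DHCP, DNS, proxyDHCP and TFTP, which is all a
! PXE client needs to fetch its boot image. The ACL is independent of 802.1X and
! is enforced from the moment the link comes up; host mode still decides how
! sessions are classified (here: every host authenticates separately).
ip access-list extended PRE-AUTH-PXE
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq 4011
 permit udp any any eq tftp
 deny ip any any
!
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip access-group PRE-AUTH-PXE in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
```

After applying the second configuration, confirm the classification with show authentication sessions interface GigabitEthernet1/2: each data host and the single voice host should appear as its own session, and only the policy downloaded for that host's MAC address should be listed against it.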
Related Commands
Command              Description
show authentication  Displays Authentication Manager information.

authentication host-mode
Catalyst 4500 Series Switch Cisco IOS Command Reference—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25342-01, page 2-31
